Cyber-Attack Detection on an Industrial Control System Testbed using Dynamic Watermarking

A Power Grid Application

Master thesis (2022)

Authors

G.W. van den Broek Mechanical Engineering

Contributors

Riccardo M.G. Ferrari Team Riccardo Ferrari - Mechanical, Maritime and Materials Engineering (supervisor 1)
T. Keijzer Team Riccardo Ferrari - Mechanical, Maritime and Materials Engineering (supervisor 1)
Faculty
Mechanical Engineering
Copyright: © 2022 Geert van den Broek
Industrial Control System Dynamic Multiplicative Watermarking Automatic Generation Control Load Frequency Control Data integrity attack Scaling attack Replay attack Hardware-In-the-Loop Testbed
More Info
expand_more

Published Date

25-08-2022

Language

English

Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Faculty

Mechanical Engineering

Abstract

An Industrial Control System (ICS) is used to monitor and control industrial processes and critical infrastructure, and is therefore crucial to modern society. This makes them attractive targets for malicious cyber-attacks, which have become more advanced and abundant in recent history. To properly defend ICSs from these cyber-attacks, appropriate cyber-defensive mechanisms should be continuously designed and updated, cyber-attack detection mechanisms included. These mechanisms should undergo sufficient testing before being implemented in actual ICSs to minimise unforeseen consequences. Existing literature indicates that Dynamic Multiplicative Watermarking (DMWM) is a promising form of cyber-attack detection, which could improve overall detection performance. Thus far, this technique has not yet been applied to Automatic Generation Control (AGC) (a prominent form of Load Frequency Control (LFC) in power grids) to detect data integrity attacks (specifically scaling and replay attacks).

Ergo, this research aims at testing the performance of DMWM against data integrity attacks on AGC. To perform attack detection, a Luenberger observer it utilised. This observer generates a residual, which is compared to a robustly designed threshold. For the purpose of adequate testing, the HILDA (Hardware-In-the-Loop Detection of Attacks) testbed is designed and constructed. By using this testbed, more realistic scenarios can be simulated than with regular desktop simulations. After verifying the correct construction of the testbed, the DMWM performance is examined both on a desktop simulation environment using MATLAB & Simulink, and on the HILDA testbed. It is shown that the addition of DMWM increases the detection performance in the context of both scaling and replay attacks. For replay attacks, this performance increases notably, while for scaling attacks the improvement is more modest. It is shown that, overall, the attacks are detected more quickly when simulated on the HILDA testbed compared to simulations performed on the MATLAB & Simulink environment. On the other hand, the overall detection ratio was better when simulated on the MATLAB & Simulink environment. This discrepancy in detection performance demonstrates the added value of the HILDA testbed.